Equifax Breach: Tips for email security and GDPR compliance

What Your Business Can Learn from the Equifax Breach

With some 145.5 million people around the globe victimized by the Equifax breach, it’s easy to focus on that enormous number. But there’s another figure looming out there: regulatory fines. These amounts promise to be at least as eye-popping as the volume of records breached.

While GDPR compliance enforcement isn’t in effect until May 2018, the Equifax debacle is a clarion call for U.S. IT pros to begin to come into compliance with – or to strengthen their adherence to – the standard.

Why? Mimecast cyber resilience expert Dan Sloshberg explains.

“In some ways, you could argue the breach came at the right time. If it had been reported after the May 2018 deadline, these massive fines could be a reality,” he says. “Obviously the level of fine is pure speculation,” but, “when fines are being enforced in May 2018, they will run up to 20 million Euros or 4% of global revenue – depending on the severity and size of the breach and what preventative steps and processes were in place. For Equifax, their global revenue is $3 billion, so they could be looking at a fine of $120 million. Depending on what steps [Equifax] did or didn’t take, this will impact what further action and fines may be applied.”

And remember, that’s on top of payouts to consumers and the impact on stock price and market capitalization that have already harmed the firm’s bottom line. Just after the breach, Equifax stock tanked 35%, draining almost $6 billion in market capitalization. With malware and a potential second breach detected, the toll will be even higher.

“Breach impact goes much further than reputation damage and recovery costs now,” he adds. “With GDPR and other similar regulations around the world, you could be liable to crippling fines that could even put you out of business.”

So what does this all mean for you?

The Take-Away for Your Business

The key lesson from the Equifax breach is clear: “Assume that if you hold data of value, attackers will stop at nothing to get at it. Assume that you will, at some point, suffer a breach,” Sloshberg asserts.

And don’t feel immune if you’re a smaller organization. “You don’t have to be big to be a target,” Sloshberg says. “Increasingly, more small businesses are being targeted by cybercriminals. So all organizations, anywhere in the world, no matter their size, must take the right precautions.” Recent data show that small businesses with 250 or fewer employees are being attacked more frequently – 43% of cybercriminals target smaller businesses, up from 18% in 2011.

“Putting in place the best protection is mandatory – including the right cyber defenses to cover key vectors like email and web, and employee education,” he says.

Organizations should invest now in technology and processes to limit the impact of any breach, such as application whitelisting, network segmentation and encryption. You also need a plan to

Email remains the number-one vector for cyber thugs, with more than 90% of attacks starting there. That’s because email is an easy entry and holds a massive amount of personal data. So protecting email is crucial, but spam and virus controls just aren’t sufficient safeguards anymore.

Cybercriminals deploy malicious links to steal credentials or weaponized attachments to drop malware behind the firewall. They also rely on social engineering to trick targets into transferring money to fraudulent accounts or divulging sensitive data.

“Security must keep up with these attacks, which is best achieved through a cloud solution that’s faster to iterate and updates automatically,” Sloshberg says. “The right security can help protect against a breach in the first place.”

The need for protection extends to email archive data, too.

“A key part of GDPR is the ability to locate personal data of citizens in a timely manner,” he explains. “Rapid search is a must, as is the ability to efficiently sift through vast amounts of data to find the needles in the haystack.”

Once found, data must be easy to export and even delete if requested. Cloud archiving provides the scale and speed needed to deliver on these requirements. “But not all cloud archives are created equal,” he warns. “A native cloud solution that is designed for speed, accuracy, and ease of access is key.”

Risk Management

Ultimately, whether you prepare for and comply with GDPR mandates – or not – is a risk-based decision. Before choosing, determine what the potential fallout would be if you are breached and personal data is stolen:

What would it cost to clean up versus protect against in the first place?

Can you put a price on the reputational damage that will occur?

Are you able to pay a fine?

What impact will that have on business operations and finances?

“The cost to defend adequately against a breach is generally always going to be lower than the cost of fallout after a breach,” Sloshberg notes. That’s true, especially for smaller enterprises. “My recommendation would be to analyze the risk associated with key business systems and processes and determine what’s needed to mitigate those risks. Organizations can then take a more informed risk-based decision.”
